Tuesday, 15 January 2013

[EN] Mantis Bug Tracker 1.2.12 Persistent XSS

A few minutes ago I found a nice old persistent XSS in the latest version of Mantis Bug Tracker (1.2.12).

Persistent XSS for admin

This vulnerability affects the admin user, but the same issue could exist in other parts of this web application.

Update 18.01.2013: A few minutes ago I spoke again with the developer team. After this little chat I have a surprise for you: a new MantisBT is coming! :)

Update 21.01.2013: As you can see now (in the comments), MantisBT is available for download and soon you can get the brand new version. For now, the patch for this vulnerability is available here. Once again I would like to thank the MantisBT Team for a fast reply, great knowledge and excellent work! :) Cheers! o/

2 comments:

Please refer to http://www.mantisbt.org/bugs/view.php?id=15373 for further details on the issue as well as the relevant patch.

MantisBT 1.2.13 will be released soon (probably sometime next week). Until then, you can either apply the patch mentioned in the above link manually, or download a nightly build dated 18-Jan-2013 or later from http://www.mantisbt.org/builds/